How to shield hardware from security threats

Deterring threats through licensing

In a sign of the age we're in, almost every piece of hardware can now be manufactured with some form of internet connectivity.

This opens up a wealth of functionality and new possibilities with our devices, but at the same time exposes our possessions to online threats, which now have new avenues of attack.

With this in mind, we spoke to Flexera Software VP, Mathieu Baissac, about how manufacturers can protect their devices after they've been sold, and what consumers should be wary of in their increasingly connected homes.

TechRadar Pro: Clearly there are a growing number of security threats emerging on internet-connected devices, so how can manufacturers reduce hacker risk?

Mathieu Baissac: Unfortunately, there's no way to completely eliminate the risk of a software application being hacked, but there are things that can be done to reduce how easy it is to hack or to fix the problem when it happens.

Manufactures can reduce hacker risk by using licensing to protect their embedded software applications, ensuring only current/registered customers have access to the embedded software, and they are on the latest versions of their software in order to provide secure software updates to fix the problem quickly.

TRP: Are all devices connected to the internet at risk of being hacked? Or are some types more prone than others?

MB: Yes, millions of internet-connected devices are vulnerable to hackers. Embedded software that is not protected by licensing and monitored regularly are most prone for attacks.

TRP: What measures should device manufacturers take to mitigate the risks?

MB: Here would be my list of the most important things:

For applications that sit at the operating system level use tamper resistant licensing code to help reduce hacks

Invest the time to reverse engineer your embedded software on the device and make changes at the machine level if necessary and strengthen your protection

Ensure that the applications on your devices, mobile device management systems and other systems have an easy, automated mechanism for getting the latest security patches and updates as fast as possible

Encourage and incent your customers to register their devices

Encourage and remind your customers to upgrade firmware or software on these devices

Proactively monitor your devices for application issues

Monitor and track to make sure only authorized users are using your applications

TRP: How can device manufacturers ensure that their customers remain protected after the device has been sold?

MB: In order to ensure that customers remain protected from security risks, manufacturers must make sure they are on the most current versions of their software, and remotely monitor their devices to make sure the applications are running correctly.

TRP: The software driving the device is most vulnerable to attack. What can you do to reduce your risk of a potential security vulnerability exposed by the software application?

MB: Manufactures can reduce the risk of a potential security vulnerability exposed by the software application by implementing tamper resistant application code, that can be resistant to attack by malicious or mischievous people or programs, at the same time helps protect the application from theft; ensuring only current customers are entitled to use it.

TRP: Can you provide any examples of how manufacturers may use these measures to reduce hacker risk?

MB: Well the FDA (Food and Drug Administration) needs to be assured that medical devices are up to date with the latest software versions, patches and security fixes.

Hospitals should have the ability to remotely access their devices and run reports on all applications to make sure they are compliant and working correctly. If there is a problem, they need to have the ability to send a secure software update quickly and easily.

Manufacturers should also monitor appliance performance in the "connected home" to remotely diagnose device issues. Home appliances can be monitored for issues and software patches can be delivered to solve issues before the customer is even aware of the issue.

TRP: What can consumers do proactively take to reduce their risk of being hacked?